Data Protection and Dublin Bus

Data Protection and subject access requests

Dublin Bus holds sets of data relating to both customers and employees that would come under the remit of The Data Protection Acts 1998,/2003/ 2018. In compliance with existing legislation and ensuring the fundamental right to privacy, Dublin Bus works to ensure the application of best data protection practice within the organisation and that the eight key rules of data protection are adhered to.

The Data Protection Acts 1998/ 2003/2018 define eight fundamental rules which Dublin Bus must adhere to and they are:

Data must be obtained and processed fairly

Data must be kept for a specified and lawful purpose

Data must not be processed in ways that are incompatible with the original specified purpose

Data must be kept safe and secure

Data must be kept accurate and up to date

The data kept must be adequate, relevant and not excessive

It must not be retained for longer than is necessary

All data subjects (customers and employees) have a right of access to data concerning them held by Dublin Bus

These rules are enshrined in law and place legal obligations on Dublin Bus and grant legal rights to Data Subjects who, in this instance, are living customers and employees.

All Dublin Bus Data Protection policies and practices are monitored by Dublin Bus’s Data Protection Officer and will updated in line with changes in Data Protection legislation.

Key terms

The Data Protection Acts 1988/2003/2018 define a number of terms which include:

Personal data: Data relating to a living individual who is or can be identified from the data, or from data in conjunction with other information in the possession of the Data Controller. This includes CCTV footage.

Profiling: any form of automated processing of Personal data to evaluate certain personal aspects relating to a living person, in particular to analyse or predict aspects concerning the person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Data breach: the alteration, destruction, loss or unauthorised disclosure or access to personal data that is being processed by a controller or by a data processor on their behalf.

Anonymisation: Deleting all personal information from data so it is out of scope of Data Protection Law but can be used for business purposes.

Pseudonymisation:Processing personal data in a way that the subject cannot be identified without additional information that is stored separately and securely.

Data Subject: The living person to whom the data relates such as customers or employees.Data Controller: Dublin Bus as it controls the contents and use of personal data.

Data Processor: A third party who extracts information from personal data on behalf of a data controller. This service is undertaken under a contract of services. Dublin Bus is a data processor for the Leap Card whereas the controller for the Leap Card is the National Transport Authority (NTA).

Automated data: Data that is processed by means of equipment operating automatically. Examples of this include electronic records and CCTV footage

Manual data: Data that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system. An example of this is a paper file.

Relevant filing system: Any set of information relating to a person that is structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific personal information is readily acceptable.

Section 4 of the Data Protection Acts 1988/2003/2018 entitles Dublin Bus customers and employees to copies of data relating to them which is held by Dublin Bus. In order to exercise this legal right, the following steps should be made:

The Data Subject should state that they wish to make a subject access request under the Data Protection Acts 1988/2003/2018.

The request should include the following:

Sufficient details to expedite the search

A copy of identification to verify who they are

All data relating to other third parties in the records will be redacted unless, As per Section 8 of the Data Protection Acts 1988/2003/2018, one of the following grounds is met:

If in the opinion of a Garda Chief Superintendent or higher or a member of the Permanent Defence Forces who hold rank not below colonel, the data is required for safeguarding the security of the State.

It is required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other monies owed payable to the state, local authority or health board.

It is required in the interests of protecting the international relations of the State.

Its disclosure is required urgently to prevent injury or other damage to the health of a person or serious loss or damage to property.

It is required under a piece of legislation or through a court order

It is required for the purpose of obtaining legal advice or as part legal proceedings

All other data subjects whose details are included in the records give their written consent to having their data disclosed.

Data is sought to investigate a crime or collecting monies owed to the State

If un-redacted data is being sought under the grounds of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other monies owed payable to the state, local authority or health board, an official email/letter must be sent to the Data Protection Officer confirming this.

Solicitors seeking to make an access request on behalf of their clientsIf un-redacted data is being sought by a solicitor under the grounds of obtaining legal advice or as part legal proceedings, the request should be sent to the Data Protection Executive and the solicitor should be advised that they should submit the following:

Sufficient details to expedite the search

A letter of authorisation from their client

A copy of identification to verify who their client is

Any customer who claims to be representing themselves in court must first produce a court order before un-redacted data will be released to them. This must be sent to the Data Protection Officer.

CCTV access requests under Data Protection Acts 1988/2003/2018CCTV footage comes within the scope of Data Protection legislation. In compliance with guidelines issued by the Office of Data Protection Commissioner, CCTV records will be released in pixilated video format. All personal data relating to other data subjects will be redacted.

Processing an access requestDublin Bus must action a subject accesses request within 30 calendar days of receipt of the initial request. Dublin Bus reserves the right to contact a data subject for additional information to help them expedite the process.Dublin Bus will issue the records to the subject via registered post. Dublin Bus reserves the right not to issue the records until it has received the fee and evidence of identity.

Other rights under the Data Protection Acts 1988/2003/2018

The Data Protection acts also confer upon living individuals the following rights:

The right to object to direct marketing.

The right to incorrect data rectified.

The right to erasure (exemptions apply to this right).

The right to data portability.

The right to not to subjected to wholly automated decision making (exemptions apply to this right).

The right to have your data deleted (exemptions apply to this right).

The right to prevent processing which causes damage or distress (exemptions apply to this right).

When seeking to exercise these right, Dublin Bus’s Data Protection Officer is the designated contact.

Making a complaint to the Data Protection Commissioner

If you are unhappy with how Dublin Bus has handled your access request, you are entitled to make a complaint to the Office of the Data Protection Commissioner. The contact details are as follows